diff --git a/charts/wg-easy/item.yaml b/charts/wg-easy/item.yaml
index c3ea148f5e..cd6a0cf5cc 100644
--- a/charts/wg-easy/item.yaml
+++ b/charts/wg-easy/item.yaml
@@ -4,5 +4,6 @@ categories:
 screenshots:
 - https://media.sys.truenas.net/apps/wg-easy/screenshots/screenshot1.png
 tags:
- - vpn
 - wireguard
+ - network
+ - vpn
diff --git a/library/ix-dev/charts/wg-easy/Chart.lock b/library/ix-dev/charts/wg-easy/Chart.lock
index 48e620603c..12f832f4ec 100644
--- a/library/ix-dev/charts/wg-easy/Chart.lock
+++ b/library/ix-dev/charts/wg-easy/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
- repository: file://../../../common/2304.0.1
- version: 2304.0.1
-digest: sha256:1ed155c6760e1166e2cb75b52bc5e81c6bdf0252c16ff5ede001157077c41670
-generated: "2023-04-24T13:41:50.229362574+03:00"
+ repository: file://../../../common
+ version: 1.2.3
+digest: sha256:e6ff49b06bf5d4d159e505ae6d153f36cd46170bb519caf90462cd5caebfd0fb
+generated: "2023-11-08T20:13:57.295656002+02:00"
diff --git a/library/ix-dev/charts/wg-easy/Chart.yaml b/library/ix-dev/charts/wg-easy/Chart.yaml
index 7e96b9b7bc..37e441d7a9 100644
--- a/library/ix-dev/charts/wg-easy/Chart.yaml
+++ b/library/ix-dev/charts/wg-easy/Chart.yaml
@@ -3,7 +3,7 @@ description: WG-Easy is the easiest way to install & manage WireGuard!
 annotations:
 title: WG Easy
 type: application
-version: 1.0.12
+version: 2.0.0
 apiVersion: v2
 appVersion: "7"
 kubeVersion: ">=1.16.0-0"
@@ -13,8 +13,8 @@ maintainers:
 email: dev@ixsystems.com
 dependencies:
 - name: common
- repository: file://../../../common/2304.0.1
- version: 2304.0.1
+ repository: file://../../../common
+ version: 1.2.3
 home: https://github.com/WeeJeWel/wg-easy
 icon: https://media.sys.truenas.net/apps/wg-easy/icons/icon.png
 sources:
diff --git a/library/ix-dev/charts/wg-easy/charts/common-1.2.3.tgz b/library/ix-dev/charts/wg-easy/charts/common-1.2.3.tgz
new file mode 100644
index 0000000000..cddb9b05fb
Binary files /dev/null and b/library/ix-dev/charts/wg-easy/charts/common-1.2.3.tgz differ
diff --git a/library/ix-dev/charts/wg-easy/charts/common-2304.0.1.tgz b/library/ix-dev/charts/wg-easy/charts/common-2304.0.1.tgz
deleted file mode 100644
index 10cd5d29b4..0000000000
Binary files a/library/ix-dev/charts/wg-easy/charts/common-2304.0.1.tgz and /dev/null differ
diff --git a/library/ix-dev/charts/wg-easy/ci/test-values.yaml b/library/ix-dev/charts/wg-easy/ci/test-values.yaml
index 3683884014..236726d9e0 100644
--- a/library/ix-dev/charts/wg-easy/ci/test-values.yaml
+++ b/library/ix-dev/charts/wg-easy/ci/test-values.yaml
@@ -1,22 +1,14 @@
-appVolumeMounts:
+wgStorage:
 config:
- emptyDir: true
- mountPath: /etc/wireguard
-dnsConfig:
- options: []
-emptyDirVolumes: true
-environmentVariables: []
-extraAppVolumeMounts: []
-hostNetwork: true
-wgUDPPort: 30290
-webUIPort: 30921
-wgeasy:
+ type: pvc
+
+wgConfig:
 host: wg.domain.com
 password: secret
- client_mtu: 1420
- keep_alive: 5
- client_address_range: 10.10.0.x
- client_dns_server: "8.8.8.8"
- allowed_ips:
+ clientMTU: 1420
+ keepAlive: 5
+ clientAddressRange: 10.10.0.x
+ clientDNSServer: "8.8.8.8"
+ allowedIPs:
 - 10.10.10.0/24
 - 10.10.12.0/24
diff --git a/library/ix-dev/charts/wg-easy/metadata.yaml b/library/ix-dev/charts/wg-easy/metadata.yaml
index dce85d8796..bd22d78e49 100644
--- a/library/ix-dev/charts/wg-easy/metadata.yaml
+++ b/library/ix-dev/charts/wg-easy/metadata.yaml
@@ -5,34 +5,8 @@ runAsContext:
 uid: 0
 description: WG Easy runs as root user.
 capabilities:
- - name: CHOWN
- description: WG Easy is able to chown files.
- - name: FOWNER
- description: WG Easy is able to bypass permission checks for it's sub-processes.
- - name: SYS_CHROOT
- description: WG Easy is able to use chroot.
- - name: MKNOD
- description: WG Easy is able to create device nodes.
- - name: DAC_OVERRIDE
- description: WG Easy is able to bypass permission checks.
- - name: FSETID
- description: WG Easy is able to set file capabilities.
- - name: KILL
- description: WG Easy is able to kill processes.
- - name: SETGID
- description: WG Easy is able to set group ID for it's sub-processes.
- - name: SETUID
- description: WG Easy is able to set user ID for it's sub-processes.
- - name: SETPCAP
- description: WG Easy is able to set process capabilities.
- - name: NET_BIND_SERVICE
- description: WG Easy is able to bind to privileged ports.
- - name: SETFCAP
- description: WG Easy is able to set file capabilities.
 - name: NET_RAW
 description: WG Easy is able to use raw sockets.
- - name: AUDIT_WRITE
- description: WG Easy is able to write to audit log.
 - name: SYS_MODULE
 description: WG Easy is able to load kernel modules.
 - name: NET_ADMIN
diff --git a/library/ix-dev/charts/wg-easy/migrations/migrate b/library/ix-dev/charts/wg-easy/migrations/migrate
new file mode 100755
index 0000000000..1d9d1348a6
--- /dev/null
+++ b/library/ix-dev/charts/wg-easy/migrations/migrate
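Review bot: The three entries that remain understate what the container can actually do: the new workload template runs it as uid 0 and only `add`s NET_ADMIN/NET_RAW/SYS_MODULE with no `drop`, so unless the common library emits `drop: [ALL]` (not shown anywhere in this diff) the process keeps the runtime's default capability set — CHOWN, DAC_OVERRIDE, SETUID, ... — i.e. most of what this hunk removes from the list. Either confirm the library drops the defaults, or add `drop:` / `- ALL` beside `add:` in `_wgeasy.tpl` so the documented set is the real one. SYS_MODULE on a root, host-network pod is host-root-equivalent, so its description should say so: `description: WG Easy is able to load kernel modules (equivalent to root on the host).`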
@@ -0,0 +1,94 @@
+#!/usr/bin/python3
+import json
+import os
+import sys
+
+
+def migrate_common_lib(values):
+ delete_keys = [
+ 'wgUDPPort', 'webUIPort', 'hostNetwork', 'cpuLimit', 'memLimit',
+ 'dnsConfig', 'environmentVariables', 'appVolumeMounts',
+ 'extraAppVolumeMounts', 'wgeasy', 'enableResourceLimits',
+ ]
+
+ values.update({
+ # Migrate Network
+ 'wgNetwork': {
+ 'udpPort': values['wgUDPPort'],
+ 'webPort': values['webUIPort'],
+ 'hostNetwork': values['hostNetwork'],
+ },
+ # Migrate Resources
+ 'resources': {
+ 'limits': {
+ 'cpu': values.get('cpuLimit', '4000m'),
+ 'memory': values.get('memLimit', '8Gi'),
+ }
+ },
+ # Migrate DNS
+ 'podOptions': {
+ 'dnsConfig': {
+ 'options': [
+ {'name': opt['name'], 'value': opt['value']}
+ for opt in values.get('dnsConfig', {}).get('options', [])
+ ]
+ }
+ },
+ # Migrate Config
+ 'wgConfig': {
+ 'host': values['wgeasy']['host'],
+ 'password': values['wgeasy'].get('password', ''),
+ 'keepAlive': values['wgeasy']['keep_alive'],
+ 'clientMTU': values['wgeasy']['client_mtu'],
+ 'clientAddressRange': values['wgeasy']['client_address_range'],
+ 'clientDNSServer': values['wgeasy']['client_dns_server'],
+ 'allowedIPs': values['wgeasy']['allowed_ips'],
+ 'additionalEnvs': values.get('environmentVariables', []),
+ },
+ # Migrate Storage
+ 'wgStorage': {
+ 'config': {
+ 'type': 'hostPath',
+ 'hostPathConfig': {
+ 'hostPath': values['appVolumeMounts']['config']['hostPath']
+ },
+ } if values['appVolumeMounts']['config']['hostPathEnabled'] else {
+ 'type': 'ixVolume',
+ 'ixVolumeConfig': {
+ 'datasetName': values['appVolumeMounts']['config']['datasetName'],
+ },
+ },
+ 'additionalStorages': [
+ {
+ 'type': 'hostPath',
+ 'hostPathConfig': {'hostPath': e['hostPath']},
+ 'mountPath': e['mountPath'],
+ }
+ for e in values.get('extraAppVolumeMounts', [])
+ ],
+ },
+ })
+
+ for k in delete_keys:
+ values.pop(k, None)
+
+ return values
+
+def migrate(values):
+ if not 'wgeasy' in values.keys():
+ return values
+
+
+ return migrate_common_lib(values)
+
+
+
+if __name__ == '__main__':
+ with open('in.json', 'r') as f:
+ print(json.dumps(migrate(json.loads(f.read()))))
+ if len(sys.argv) != 2:
+ exit(1)
+
+ if os.path.exists(sys.argv[1]):
+ with open(sys.argv[1], 'r') as f:
+ print(json.dumps(migrate(json.loads(f.read()))))
diff --git a/library/ix-dev/charts/wg-easy/questions.yaml b/library/ix-dev/charts/wg-easy/questions.yaml
index 2dc6e6cb19..b76a3047e2 100644
--- a/library/ix-dev/charts/wg-easy/questions.yaml
+++ b/library/ix-dev/charts/wg-easy/questions.yaml
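Review bot: The `__main__` block unconditionally opens and migrates a hard-coded `in.json` before it even looks at `sys.argv`, which reads as a debugging leftover: on the real migration path that file will not exist and the script dies with FileNotFoundError before reading the values file it was given, and if it did exist the migrated values would be printed twice. Delete the two lines `with open('in.json', 'r') as f:` / `print(json.dumps(migrate(json.loads(f.read()))))` that precede `if len(sys.argv) != 2:`. Separately, `migrate_common_lib` indexes `values['appVolumeMounts']['config']['hostPathEnabled']`, `['hostPath']` and `['datasetName']` directly, so any stored release missing one of those keys makes the whole migration raise KeyError; `.get()` with the old defaults (`hostPathEnabled` → False) would be safer. `if not 'wgeasy' in values.keys():` is more idiomatically `if 'wgeasy' not in values:`.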
@@ -1,84 +1,93 @@ groups:
- - name: Configuration
- description: WG-Easy application configuration
- - name: Storage
- description: Configure storage for WG-Easy
- - name: Networking
- description: Networking Configuration for WG-Easy
- - name: Advanced DNS Settings
- description: Configure DNS settings
- - name: Resource Limits
- description: Set CPU/memory limits for Kubernetes Pod
+ - name: WG-Easy Configuration
+ description: Configure WG-Easy
+ - name: Advanced Pod Configuration
+ description: Configure Advanced Pod Options for WG-Easy
+ - name: Network Configuration
+ description: Configure Network for WG-Easy
+ - name: Storage Configuration
+ description: Configure Storage for WG-Easy
+ - name: Resources Configuration
+ description: Configure Resources for WG-Easy
 portals:
 web_portal:
 protocols:
- - http
+ - "$kubernetes-resource_configmap_portal_protocol"
 host:
- - $node_ip
+ - "$kubernetes-resource_configmap_portal_host"
 ports:
- - $variable-webUIPort
- path: /
+ - "$kubernetes-resource_configmap_portal_port"
+ path: "$kubernetes-resource_configmap_portal_path"
 questions:
- - variable: wgUDPPort
- label: WireGuard UDP Node Port for WG-Easy
- group: Networking
- schema:
- type: int
- min: 9000
- max: 65535
- default: 20920
- required: true
- - variable: webUIPort
- label: WebUI Node Port for WG-Easy
- group: Networking
- schema:
- type: int
- min: 9000
- max: 65535
- default: 20921
- required: true
- - variable: hostNetwork
- label: Host Network
- group: Networking
- schema:
- type: boolean
- default: true
-
- - variable: dnsConfig
- label: DNS Configuration
- group: Advanced DNS Settings
+ - variable: wgNetwork
+ label: ""
+ group: Network Configuration
 schema:
 type: dict
 attrs:
- - variable: options
- label: DNS Options
+ - variable: udpPort
+ label: Web Port
+ description: The port for the WG-Easy Wireguard service.
 schema:
- type: list
- items:
- - variable: optionsEntry
- label: Option Entry Configuration
- schema:
- type: dict
- attrs:
- - variable: name
- label: Option Name
- schema:
- type: string
- required: true
- - variable: value
- label: Option Value
- schema:
- type: string
- required: true
+ type: int
+ default: 30057
+ min: 9000
+ max: 65535
+ required: true
+ - variable: webPort
+ label: Web Port
+ description: The port for the WG-Easy Web UI.
+ schema:
+ type: int
+ default: 30058
+ min: 9000
+ max: 65535
+ required: true
+ - variable: hostNetwork
+ label: Host Network
+ schema:
+ type: boolean
+ default: true
- - variable: wgeasy
- label: WG-Easy Configuration
- group: Configuration
+ - variable: podOptions
+ label: ""
+ group: Advanced Pod Configuration
+ schema:
+ type: dict
+ attrs:
+ - variable: dnsConfig
+ label: Advanced DNS Configuration
+ schema:
+ type: dict
+ attrs:
+ - variable: options
+ label: DNS Options
+ schema:
+ type: list
+ items:
+ - variable: optionsEntry
+ label: DNS Option Entry
+ schema:
+ type: dict
+ attrs:
+ - variable: name
+ label: Option Name
+ schema:
+ type: string
+ required: true
+ - variable: value
+ label: Option Value
+ schema:
+ type: string
+ required: true
+
+ - variable: wgConfig
+ label: ""
+ group: WG-Easy Configuration
 schema:
 type: dict
- additional_attrs: true
 attrs:
 - variable: host
 label: Hostname or IP
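Review bot: `udpPort` is labelled `Web Port` while its own description says it is the WireGuard UDP port; the label was copied from `webPort`, so the UI will show two fields both called "Web Port" in the Network group. Change it to `label: WireGuard UDP Port`. `hostNetwork` defaults to `true` but carries no `description`; since it puts the pod in the node's network namespace (the preStop hook in `_wgeasy.tpl` deletes routes and the wg0 link there), a sentence such as `description: Run the pod in the host network namespace (shares the node's interfaces and routing table).` tells users what they are enabling.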
@@ -95,35 +104,35 @@ questions:
 type: string
 private: true
 default: ""
- - variable: keep_alive
+ - variable: keepAlive
 label: Persistent Keep Alive
 description: Value in seconds to keep the "connection" open. If this value is 0, then connections won't be kept alive.
 schema:
 type: int
 required: true
 default: 0
- - variable: client_mtu
+ - variable: clientMTU
 label: Clients MTU
 description: The MTU the clients will use.
 schema:
 type: int
 required: true
 default: 1420
- - variable: client_address_range
+ - variable: clientAddressRange
 label: Clients IP Address Range
 description: Clients IP address range.
 schema:
 type: string
 required: true
 default: 10.8.0.x
- - variable: client_dns_server
+ - variable: clientDNSServer
 label: Clients DNS Server
 description: Clients DNS Server.
 schema:
 type: string
 required: true
 default: "1.1.1.1"
- - variable: allowed_ips
+ - variable: allowedIPs
 label: Allowed IPs
 description: Allowed IPs clients will use. If none provided, <0.0.0.0/0,::/0> will be used.
 schema:
@@ -136,125 +145,296 @@ questions:
 type: string
 required: true
 default: ""
-
- - variable: environmentVariables
- label: WG-Easy Environment
- group: Configuration
- schema:
- type: list
- default: []
- items:
- - variable: environmentVariable
- label: Environment Variable
+ - variable: additionalEnvs
+ label: Additional Environment Variables
+ description: Configure additional environment variables for WG-Easy.
 schema:
- type: dict
- attrs:
- - variable: name
- label: Name
+ type: list
+ default: []
+ items:
+ - variable: env
+ label: Environment Variable
 schema:
- type: string
- required: true
- default: ""
- - variable: value
- label: Value
- schema:
- type: string
- default: ""
- required: true
+ type: dict
+ attrs:
+ - variable: name
+ label: Name
+ schema:
+ type: string
+ required: true
+ - variable: value
+ label: Value
+ schema:
+ type: string
+ required: true
- - variable: appVolumeMounts
- label: WG-Easy Storage
- group: Storage
+ - variable: wgStorage
+ label: ""
+ group: Storage Configuration
 schema:
 type: dict
 attrs:
 - variable: config
- label: Configuration Volume
+ label: WG-Easy Config Storage
+ description: The path to store WG-Easy Configuration.
 schema:
 type: dict
 attrs:
- - variable: datasetName
- label: Configuration Volume Dataset Name
+ - variable: type
+ label: Type
+ description: |
+ ixVolume: Is dataset created automatically by the system.
+ Host Path: Is a path that already exists on the system.
 schema:
 type: string
- hidden: true
+ required: true
+ immutable: true
+ default: "ixVolume"
+ enum:
+ - value: "hostPath"
+ description: Host Path (Path that already exists on the system)
+ - value: "ixVolume"
+ description: ixVolume (Dataset created automatically by the system)
+ - variable: ixVolumeConfig
+ label: ixVolume Configuration
+ description: The configuration for the ixVolume dataset.
+ schema:
+ type: dict
+ show_if: [["type", "=", "ixVolume"]]
 $ref:
- - normalize/ixVolume
- show_if: [["hostPathEnabled", "=", false]]
- default: ix-wg-easy_config
- editable: false
- - variable: mountPath
- label: Configuration Mount Path
- description: Path where the volume will be mounted inside the pod
- schema:
- type: path
- hidden: true
- editable: true
- default: /etc/wireguard
- - variable: hostPathEnabled
- label: Enable Custom Host Path for WG-Easy Configuration Volume
- schema:
- type: boolean
- default: false
- show_subquestions_if: true
- subquestions:
- - variable: hostPath
- label: Host Path for WG-Easy Configuration Volume
+ - "normalize/ixVolume"
+ attrs:
+ - variable: aclEnable
+ label: Enable ACL
+ description: Enable ACL for the dataset.
 schema:
- type: hostpath
+ type: boolean
+ default: false
+ - variable: datasetName
+ label: Dataset Name
+ description: The name of the dataset to use for storage.
+ schema:
+ type: string
 required: true
 immutable: true
+ hidden: true
+ default: "config"
+ - variable: aclEntries
+ label: ACL Configuration
+ schema:
+ type: dict
+ show_if: [["aclEnable", "=", true]]
+ attrs: []
+ - variable: hostPathConfig
+ label: Host Path Config
+ schema:
+ type: dict
+ show_if: [["type", "=", "hostPath"]]
+ attrs:
+ - variable: aclEnable
+ label: Enable ACL
+ description: Enable ACL for the dataset.
+ schema:
+ type: boolean
+ default: false
+ - variable: acl
+ label: ACL Configuration
+ schema:
+ type: dict
+ show_if: [["aclEnable", "=", true]]
+ attrs: []
 $ref:
- - validations/lockedHostPath
+ - "normalize/acl"
+ - variable: hostPath
+ label: Host Path
+ description: The host path to use for storage.
+ schema:
+ type: hostpath
+ show_if: [["aclEnable", "=", false]]
+ immutable: true
+ required: true
+ - variable: additionalStorages
+ label: Additional Storage
+ description: Additional storage for WG-Easy.
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: storageEntry
+ label: Storage Entry
+ schema:
+ type: dict
+ attrs:
+ - variable: type
+ label: Type
+ description: |
+ ixVolume: Is dataset created automatically by the system.
+ Host Path: Is a path that already exists on the system.
+ SMB Share: Is a SMB share that is mounted to a persistent volume claim.
+ schema:
+ type: string
+ required: true
+ default: "ixVolume"
+ immutable: true
+ enum:
+ - value: "hostPath"
+ description: Host Path (Path that already exists on the system)
+ - value: "ixVolume"
+ description: ixVolume (Dataset created automatically by the system)
+ - value: "smb-pv-pvc"
+ description: SMB Share (Mounts a persistent volume claim to a SMB share)
+ - variable: readOnly
+ label: Read Only
+ description: Mount the volume as read only.
+ schema:
+ type: boolean
+ default: false
+ - variable: mountPath
+ label: Mount Path
+ description: The path inside the container to mount the storage.
+ schema:
+ type: path
+ required: true
+ - variable: hostPathConfig
+ label: Host Path Config
+ schema:
+ type: dict
+ show_if: [["type", "=", "hostPath"]]
+ attrs:
+ - variable: aclEnable
+ label: Enable ACL
+ description: Enable ACL for the dataset.
+ schema:
+ type: boolean
+ default: false
+ - variable: acl
+ label: ACL Configuration
+ schema:
+ type: dict
+ show_if: [["aclEnable", "=", true]]
+ attrs: []
+ $ref:
+ - "normalize/acl"
+ - variable: hostPath
+ label: Host Path
+ description: The host path to use for storage.
+ schema:
+ type: hostpath
+ show_if: [["aclEnable", "=", false]]
+ immutable: true
+ required: true
+ - variable: ixVolumeConfig
+ label: ixVolume Configuration
+ description: The configuration for the ixVolume dataset.
+ schema:
+ type: dict
+ show_if: [["type", "=", "ixVolume"]]
+ $ref:
+ - "normalize/ixVolume"
+ attrs:
+ - variable: aclEnable
+ label: Enable ACL
+ description: Enable ACL for the dataset.
+ schema:
+ type: boolean
+ default: false
+ - variable: datasetName
+ label: Dataset Name
+ description: The name of the dataset to use for storage.
+ schema:
+ type: string
+ required: true
+ immutable: true
+ default: "storage_entry"
+ - variable: aclEntries
+ label: ACL Configuration
+ schema:
+ type: dict
+ show_if: [["aclEnable", "=", true]]
+ attrs: []
+ - variable: smbConfig
+ label: SMB Share Configuration
+ description: The configuration for the SMB Share.
+ schema:
+ type: dict
+ show_if: [["type", "=", "smb-pv-pvc"]]
+ attrs:
+ - variable: server
+ label: Server
+ description: The server for the SMB share.
+ schema:
+ type: string
+ required: true
+ - variable: share
+ label: Share
+ description: The share name for the SMB share.
+ schema:
+ type: string
+ required: true
+ - variable: domain
+ label: Domain (Optional)
+ description: The domain for the SMB share.
+ schema:
+ type: string
+ - variable: username
+ label: Username
+ description: The username for the SMB share.
+ schema:
+ type: string
+ required: true
+ - variable: password
+ label: Password
+ description: The password for the SMB share.
+ schema:
+ type: string
+ required: true
+ private: true
+ - variable: size
+ label: Size (in Gi)
+ description: The size of the volume quota.
+ schema:
+ type: int
+ required: true
+ min: 1
+ default: 1
- - variable: extraAppVolumeMounts
- label: Extra Host Path Volumes
- group: Storage
+ - variable: resources
+ group: Resources Configuration
+ label: ""
 schema:
- type: list
- items:
- - variable: extraAppVolume
- label: Host Path Volume
- description: Add an extra host path volume for WG-Easy application
+ type: dict
+ attrs:
+ - variable: limits
+ label: Limits
 schema:
 type: dict
 attrs:
- - variable: mountPath
- label: Mount Path in Pod
- description: Path where the volume will be mounted inside the pod
+ - variable: cpu
+ label: CPU
+ description: CPU limit for WG-Easy.
 schema:
- type: path
+ type: string
+ max_length: 6
+ valid_chars: '^(0\.[1-9]|[1-9][0-9]*)(\.[0-9]|m?)$'
+ valid_chars_error: |
+ Valid CPU limit formats are
+ - Plain Integer - eg. 1
+ - Float - eg. 0.5
+ - Milicpu - eg. 500m + default: "4000m" required: true - - variable: hostPath - label: Host Path - description: Host path + - variable: memory + label: Memory + description: Memory limit for WG-Easy. schema: - type: hostpath + type: string + max_length: 12 + valid_chars: '^[1-9][0-9]*([EPTGMK]i?|e[0-9]+)?$' + valid_chars_error: | + Valid Memory limit formats are
+ - Suffixed with E/P/T/G/M/K - eg. 1G
+ - Suffixed with Ei/Pi/Ti/Gi/Mi/Ki - eg. 1Gi
+ - Plain Integer in bytes - eg. 1024
+ - Exponent - eg. 134e6
+ default: "8Gi"
 required: true
- $ref:
- - validations/lockedHostPath
-
- - variable: enableResourceLimits
- label: Enable Pod resource limits
- group: Resource Limits
- schema:
- type: boolean
- default: false
- - variable: cpuLimit
- label: CPU Limit resource limits
- description: CPU resource limit allow plain integer values with suffix m(milli) e.g 1000m, 100.
- group: Resource Limits
- schema:
- type: string
- show_if: [["enableResourceLimits", "=", true]]
- valid_chars: "^\\d+(?:\\.\\d+(?!.*m$)|m?$)"
- default: 4000m
- - variable: memLimit
- label: Memory Limit
- group: Resource Limits
- description: Memory limits is specified by number of bytes. Followed by quantity suffix like E,P,T,G,M,k and Ei,Pi,Ti,Mi,Gi,Ki can also be used. e.g 129e6, 129M, 128974848000m, 123Mi
- schema:
- type: string
- show_if: [["enableResourceLimits", "=", true]]
- valid_chars: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
- default: 8Gi
diff --git a/library/ix-dev/charts/wg-easy/templates/_migration.tpl b/library/ix-dev/charts/wg-easy/templates/_migration.tpl
new file mode 100644
index 0000000000..9e147f7a1e
--- /dev/null
+++ b/library/ix-dev/charts/wg-easy/templates/_migration.tpl
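Review bot: The new `hostPath` questions (the `config` one and the one under `additionalStorages`) no longer carry the `$ref: - validations/lockedHostPath` that the removed `hostPath` and `extraAppVolume` entries had; the only `$ref` left on the host-path side is `normalize/acl`, and it is gated on `aclEnable`. If that validation is what rejects paths on locked (encrypted) datasets, as its name suggests, and the new common library does not re-apply it (not visible here), a user can now point the WireGuard config volume — which holds the server private key and every peer config — at a path the pod cannot safely rely on, and the chart will accept it. Add `$ref:` / `- "validations/lockedHostPath"` under each `type: hostpath` schema. The SMB `password` field is correctly marked `private: true`, so only the host-path side regressed.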
@@ -0,0 +1,25 @@
+{{- define "wgeasy.migration.checks" -}}
+ {{/* Safely access the context, so it wont block CI */}}
+ {{- if hasKey .Values.global "ixChartContext" -}}
+ {{- if not .Values.global.ixChartContext.upgradeMetadata -}}
+ {{- fail "Upgrade Metadata is missing. Cannot proceed" -}}
+ {{- end -}}
+
+ {{- $oldChartVersion := .Values.global.ixChartContext.upgradeMetadata.oldChartVersion -}}
+ {{- $newChartVersion := .Values.global.ixChartContext.upgradeMetadata.newChartVersion -}}
+
+ {{/* Explode versions */}}
+ {{- $oldV := semver $oldChartVersion -}}
+ {{- $newV := semver $newChartVersion -}}
+
+ {{/* If new is v2.x.x */}}
+ {{- if eq ($newV.Major | int) 2 -}}
+ {{/* And old is v1.x.x, but lower than .11 */}}
+ {{- if and (eq $oldV.Major 1) (lt ($oldV.Patch | int) 11) -}}
+ {{/* Block the upgrade */}}
+ {{- fail "Migration to 2.x.x is only allowed from 1.0.11 or higher" -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- end -}}
+{{- end -}}
diff --git a/library/ix-dev/charts/wg-easy/templates/_persistence.tpl b/library/ix-dev/charts/wg-easy/templates/_persistence.tpl
new file mode 100644
index 0000000000..4f5d75ed6b
--- /dev/null
+++ b/library/ix-dev/charts/wg-easy/templates/_persistence.tpl
@@ -0,0 +1,26 @@
+{{- define "wgeasy.persistence" -}}
+persistence:
+ config:
+ enabled: true
+ {{- include "ix.v1.common.app.storageOptions" (dict "storage" .Values.wgStorage.config) | nindent 4 }}
+ targetSelector:
+ wgeasy:
+ wgeasy:
+ mountPath: /etc/wireguard
+ tmp:
+ enabled: true
+ type: emptyDir
+ targetSelector:
+ wgeasy:
+ wgeasy:
+ mountPath: /tmp
+ {{- range $idx, $storage := .Values.wgStorage.additionalStorages }}
+ {{ printf "wgeasy-%v:" (int $idx) }}
+ enabled: true
+ {{- include "ix.v1.common.app.storageOptions" (dict "storage" $storage) | nindent 4 }}
+ targetSelector:
+ wgeasy:
+ wgeasy:
+ mountPath: {{ $storage.mountPath }}
+ {{- end }}
+{{- end -}}
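Review bot: The version guard coerces `$newV.Major` with `| int` but compares `$oldV.Major` raw, and it ignores `$oldV.Minor` entirely, so a hypothetical 1.1.x release would be refused as "lower than 1.0.11" even though it is newer; `{{- if and (eq ($oldV.Major | int) 1) (semverCompare "<1.0.11" $oldChartVersion) -}}` expresses the stated rule directly. The earlier `fail "Upgrade Metadata is missing"` fires whenever `ixChartContext` exists without `upgradeMetadata`; if the platform also sets that context on fresh installs (I cannot tell from here), this blocks new installs rather than only malformed upgrades, so gate it on an upgrade flag from the context if one is available. A one-line comment above `semver $oldChartVersion` noting that it errors out on any non-semver string would also save the next person a confusing template failure.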
diff --git a/library/ix-dev/charts/wg-easy/templates/_portal.tpl b/library/ix-dev/charts/wg-easy/templates/_portal.tpl
new file mode 100644
index 0000000000..d724f0098a
--- /dev/null
+++ b/library/ix-dev/charts/wg-easy/templates/_portal.tpl
@@ -0,0 +1,12 @@
+{{- define "wgeasy.portal" -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: portal
+data:
+ path: "/"
+ port: {{ .Values.wgNetwork.webPort | quote }}
+ protocol: http
+ host: $node_ip
+{{- end -}}
diff --git a/library/ix-dev/charts/wg-easy/templates/_service.tpl b/library/ix-dev/charts/wg-easy/templates/_service.tpl
new file mode 100644
index 0000000000..4d35224bdf
--- /dev/null
+++ b/library/ix-dev/charts/wg-easy/templates/_service.tpl
@@ -0,0 +1,21 @@
+{{- define "wgeasy.service" -}}
+service:
+ wgeasy:
+ enabled: true
+ primary: true
+ type: NodePort
+ targetSelector: wgeasy
+ ports:
+ webui:
+ enabled: true
+ primary: true
+ port: {{ .Values.wgNetwork.webPort }}
+ nodePort: {{ .Values.wgNetwork.webPort }}
+ targetSelector: wgeasy
+ vpn:
+ enabled: true
+ port: {{ .Values.wgNetwork.udpPort }}
+ nodePort: {{ .Values.wgNetwork.udpPort }}
+ protocol: udp
+ targetSelector: wgeasy
+{{- end -}}
diff --git a/library/ix-dev/charts/wg-easy/templates/_wgeasy.tpl b/library/ix-dev/charts/wg-easy/templates/_wgeasy.tpl
new file mode 100644
index 0000000000..70957a9a63
--- /dev/null
+++ b/library/ix-dev/charts/wg-easy/templates/_wgeasy.tpl
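Review bot: The service is unconditionally `type: NodePort` with `nodePort:` pinned to the same numbers the container binds, even when `wgNetwork.hostNetwork` is true (the default in values.yaml); the deleted `service.yaml` deliberately switched to `ClusterIP` without `nodePort` in that case, because with host networking the process already owns `webPort`/`udpPort` on the node and kube-proxy's attempt to reserve the same nodePort either fails or double-exposes the UDP listener. How that plays out depends on the CNI and kube-proxy mode, so I cannot say from here that it breaks, but the commit silently drops a guard that existed for a reason and should either restore it or record why it is no longer needed. Restoring it is a handful of template lines:
```yaml
    type: {{ ternary "ClusterIP" "NodePort" .Values.wgNetwork.hostNetwork }}
    # … unchanged: targetSelector …
    ports:
      webui:
        # … unchanged: enabled / primary / port …
        {{- if not .Values.wgNetwork.hostNetwork }}
        nodePort: {{ .Values.wgNetwork.webPort }}
        {{- end }}
      vpn:
        # … unchanged: enabled / port …
        {{- if not .Values.wgNetwork.hostNetwork }}
        nodePort: {{ .Values.wgNetwork.udpPort }}
        {{- end }}
```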
@@ -0,0 +1,84 @@
+{{- define "wgeasy.workload" -}}
+workload:
+ wgeasy:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec:
+ hostNetwork: {{ .Values.wgNetwork.hostNetwork }}
+ containers:
+ wgeasy:
+ enabled: true
+ primary: true
+ imageSelector: image
+ {{/* https://github.com/WeeJeWel/wg-easy/pull/394 */}}
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ runAsNonRoot: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ - SYS_MODULE
+ env:
+ WG_PORT: {{ .Values.wgNetwork.udpPort }}
+ PORT: {{ .Values.wgNetwork.webPort }}
+ WG_HOST: {{ .Values.wgConfig.host | quote }}
+ PASSWORD: {{ .Values.wgConfig.password | quote }}
+ WG_PERSISTENT_KEEPALIVE: {{ .Values.wgConfig.keepAlive }}
+ WG_MTU: {{ .Values.wgConfig.clientMTU }}
+ WG_DEFAULT_ADDRESS: {{ .Values.wgConfig.clientAddressRange }}
+ WG_DEFAULT_DNS: {{ .Values.wgConfig.clientDNSServer }}
+ WG_ALLOWED_IPS: {{ join "," .Values.wgConfig.clientAllowedIPs | default "0.0.0.0/0,::/0" | quote }}
+ fixedEnv:
+ PUID: 0
+ {{ with .Values.wgConfig.additionalEnvs }}
+ envList:
+ {{ range $env := . }}
+ - name: {{ $env.name }}
+ value: {{ $env.value }}
+ {{ end }}
+ {{ end }}
+ probes:
+ liveness:
+ enabled: true
+ type: http
+ port: {{ .Values.wgNetwork.webPort }}
+ path: /
+ readiness:
+ enabled: true
+ type: http
+ port: {{ .Values.wgNetwork.webPort }}
+ path: /
+ startup:
+ enabled: true
+ type: http
+ port: {{ .Values.wgNetwork.webPort }}
+ path: /
+ {{ $ip := .Values.wgConfig.clientAddressRange | replace "x" "0" }}
+ lifecycle:
+ preStop:
+ type: exec
+ command:
+ - /bin/bash
+ - -c
+ - |
+ echo "Deleting routes created by the app..."
+ netmask=$(ip route | grep {{ $ip }})
+ netmask=$(echo $netmask | grep -o -E '/.\d*')
+ netmask=${netmask#/}
+ echo "Matched routes to delete... {{ $ip }}/$netmask"
+ # Don't try to delete routes if steps above didn't grep-ed anything
+ if [ ! "$netmask" == "" ]; then
+ ip route del {{ $ip }}/$netmask || echo "Route deletion failed..."
+ fi
+ echo "Routes deleted..."
+ interface=$(ip a | grep wg0)
+ if [ ! "$interface" == "" ]; then
+ echo "Removing wg0 interface..."
+ ip link delete wg0
+ echo "Removed wg0 interface..."
+{{- end -}}
diff --git a/library/ix-dev/charts/wg-easy/templates/common.yaml b/library/ix-dev/charts/wg-easy/templates/common.yaml
new file mode 100644
index 0000000000..5cc27b1d61
--- /dev/null
+++ b/library/ix-dev/charts/wg-easy/templates/common.yaml
@@ -0,0 +1,14 @@
+{{/* Apply helm migrations */}}
+{{- include "ix.v1.common.loader.init" . -}}
+
+{{- include "wgeasy.migration.checks" . -}}
+
+{{/* Merge the templates with Values */}}
+{{- $_ := mustMergeOverwrite .Values (include "wgeasy.workload" $ | fromYaml) -}}
+{{- $_ := mustMergeOverwrite .Values (include "wgeasy.service" $ | fromYaml) -}}
+{{- $_ := mustMergeOverwrite .Values (include "wgeasy.persistence" $ | fromYaml) -}}
+
+{{/* Create the configmap for portal manually*/}}
+{{- include "wgeasy.portal" $ -}}
+
+{{- include "ix.v1.common.loader.apply" . -}}
diff --git a/library/ix-dev/charts/wg-easy/templates/deployment.yaml b/library/ix-dev/charts/wg-easy/templates/deployment.yaml
deleted file mode 100644
index 65cd8bed93..0000000000
--- a/library/ix-dev/charts/wg-easy/templates/deployment.yaml
+++ /dev/null
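Review bot: `WG_ALLOWED_IPS` reads `.Values.wgConfig.clientAllowedIPs`, but the value is defined as `allowedIPs` everywhere else in this commit (values.yaml, questions.yaml, the migration script), so the key is always nil, `join` yields "", and `default` turns it into `0.0.0.0/0,::/0`; every user-configured allowed-IP restriction is silently discarded and a user migrated with `allowed_ips: [10.10.10.0/24]` gets a full-tunnel peer config pushed to all clients. It is a one-token fix: `WG_ALLOWED_IPS: {{ join "," .Values.wgConfig.allowedIPs | default "0.0.0.0/0,::/0" | quote }}`. The `envList` entries interpolate `value: {{ $env.value }}` unquoted, so a value such as `true` or `5` renders as a YAML bool/int where Kubernetes requires a string; use `value: {{ $env.value | quote }}`. Finally, the hunk header announces 84 added lines but only 83 are visible here, and the one not visible is the closing `fi` of the `if [ ! "$interface" == "" ]` block that the deleted deployment.yaml had; if it is really absent from the file, bash rejects the whole preStop script and the wg0 link and routes are never cleaned up on the host — please confirm it is present.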
@@ -1,136 +0,0 @@
-{{ include "common.storage.hostPathValidate" .Values }}
-apiVersion: {{ template "common.capabilities.deployment.apiVersion" . }}
-kind: Deployment
-metadata:
- name: {{ template "common.names.fullname" . }}-wg
- labels:
- app: {{ template "common.names.name" . }}
- chart: {{ template "common.names.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- annotations:
- rollme: {{ randAlphaNum 5 | quote }}
-spec:
- replicas: {{ (default 1 .Values.replicas) }}
- strategy:
- type: "Recreate"
- selector:
- matchLabels:
- app: {{ template "common.names.name" . }}
- release: {{ .Release.Name }}
- template:
- metadata:
- name: {{ template "common.names.fullname" . }}
- labels:
- {{- include "common.labels.selectorLabels" . | nindent 8 }}
- annotations: {{ include "common.annotations" . | nindent 8 }}
- spec:
- hostNetwork: {{ .Values.hostNetwork }}
- hostname: {{ .Release.Name }}
- containers:
- - name: {{ .Chart.Name }}
- {{ include "common.resources.limitation" . | nindent 10 }}
- {{ include "common.containers.imageConfig" .Values.image | nindent 10 }}
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- - SYS_MODULE
- {{/* https://github.com/WeeJeWel/wg-easy/pull/394 */}}
- runAsUser: 0
- runAsGroup: 0
- readOnlyRootFilesystem: false
- runAsNonRoot: false
- volumeMounts: {{ include "common.storage.configureAppVolumeMountsInContainer" .Values | nindent 12 }}
- {{ range $index, $hostPathConfiguration := .Values.extraAppVolumeMounts }}
- - name: extrappvolume-{{ $index }}
- mountPath: {{ $hostPathConfiguration.mountPath }}
- {{ end }}
- ports:
- - name: udp
- containerPort: {{ .Values.wgUDPPort }}
- protocol: UDP
- {{- if not .Values.hostNetwork }}
- hostPort: null
- {{- end }}
- - name: web
- containerPort: {{ .Values.webUIPort }}
- {{- if not .Values.hostNetwork }}
- hostPort: null
- {{- end }}
- env:
- {{ $wgeasy := .Values.wgeasy }}
- {{ $envList := (default list .Values.environmentVariables) }}
- {{ $envList = mustAppend $envList (dict "name" "WG_HOST" "value" $wgeasy.host) }}
- {{ $envList = mustAppend $envList (dict "name" "PASSWORD" "value" $wgeasy.password) }}
- {{ $envList = mustAppend $envList (dict "name" "WG_PORT" "value" .Values.wgUDPPort) }}
- {{ $envList = mustAppend $envList (dict "name" "PORT" "value" .Values.webUIPort) }}
- {{ $envList = mustAppend $envList (dict "name" "WG_PERSISTENT_KEEPALIVE" "value" $wgeasy.keep_alive) }}
- {{ $envList = mustAppend $envList (dict "name" "WG_MTU" "value" $wgeasy.client_mtu) }}
- {{ $envList = mustAppend $envList (dict "name" "WG_DEFAULT_ADDRESS" "value" $wgeasy.client_address_range) }}
- {{ $envList = mustAppend $envList (dict "name" "WG_DEFAULT_DNS" "value" $wgeasy.client_dns_server) }}
- {{ if $wgeasy.allowed_ips }}
- {{ $envList = mustAppend $envList (dict "name" "WG_ALLOWED_IPS" "value" (join "," $wgeasy.allowed_ips)) }}
- {{ else }}
- {{ $envList = mustAppend $envList (dict "name" "WG_ALLOWED_IPS" "value" ("0.0.0.0/0,::/0")) }}
- {{ end }}
- {{ include "common.containers.environmentVariables" (dict "environmentVariables" $envList) | nindent 12 }}
- readinessProbe:
- httpGet:
- path: /
- port: {{ .Values.webUIPort }}
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 5
- failureThreshold: 5
- successThreshold: 2
- livenessProbe:
- httpGet:
- path: /
- port: {{ .Values.webUIPort }}
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 5
- failureThreshold: 5
- successThreshold: 1
- startupProbe:
- httpGet:
- path: /
- port: {{ .Values.webUIPort }}
- initialDelaySeconds: 10
- periodSeconds: 5
- timeoutSeconds: 2
- failureThreshold: 60
- successThreshold: 1
- {{ $ip := .Values.wgeasy.client_address_range | replace "x" "0" }}
- lifecycle:
- preStop:
- exec:
- command:
- - /bin/bash
- - -c
- - |
- echo "Deleting routes created by the app..."
- netmask=$(ip route | grep {{ $ip }})
- netmask=$(echo $netmask | grep -o -E '/.\d*')
- netmask=${netmask#/}
- echo "Matched routes to delete... {{ $ip }}/$netmask"
- # Don't try to delete routes if steps above didn't grep-ed anything
- if [ ! "$netmask" == "" ]; then
- ip route del {{ $ip }}/$netmask || echo "Route deletion failed..."
- fi
- echo "Routes deleted..."
- interface=$(ip a | grep wg0)
- if [ ! "$interface" == "" ]; then
- echo "Removing wg0 interface..."
- ip link delete wg0
- echo "Removed wg0 interface..."
- fi
-
-{{ include "common.networking.dnsConfiguration" .Values | nindent 6 }}
- volumes: {{ include "common.storage.configureAppVolumes" .Values | nindent 8 }}
- {{ range $index, $hostPathConfiguration := .Values.extraAppVolumeMounts }}
- - name: extrappvolume-{{ $index }}
- hostPath:
- path: {{ $hostPathConfiguration.hostPath }}
- {{ end }}
diff --git a/library/ix-dev/charts/wg-easy/templates/service.yaml b/library/ix-dev/charts/wg-easy/templates/service.yaml
deleted file mode 100644
index 42d960b193..0000000000
--- a/library/ix-dev/charts/wg-easy/templates/service.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{ $selectors := list }}
-{{ $selectors = mustAppend $selectors (dict "key" "app" "value" (include "common.names.name" .) ) }}
-{{ $selectors = mustAppend $selectors (dict "key" "release" "value" .Release.Name ) }}
-{{ $ports := list }}
-{{- if not .Values.hostNetwork }}
-{{ $ports = mustAppend $ports (dict "name" "web" "port" .Values.webUIPort "nodePort" .Values.webUIPort "targetPort" .Values.webUIPort) }}
-{{ $ports = mustAppend $ports (dict "name" "udp" "port" .Values.wgUDPPort "nodePort" .Values.wgUDPPort "targetPort" .Values.wgUDPPort "protocol" "UDP") }}
-{{- else }}
-{{ $ports = mustAppend $ports (dict "name" "web" "port" .Values.webUIPort "targetPort" .Values.webUIPort) }}
-{{ $ports = mustAppend $ports (dict "name" "udp" "port" .Values.wgUDPPort "targetPort" .Values.wgUDPPort "protocol" "UDP") }}
-{{- end }}
-{{ $params := . }}
-{{- if not .Values.hostNetwork }}
-{{ $_ := set $params "commonService" (dict "type" "NodePort" "ports" $ports ) }}
-{{- else }}
-{{ $_ := set $params "commonService" (dict "type" "ClusterIP" "ports" $ports ) }}
-{{- end }}
-{{ $_1 := set .Values "extraSelectorLabels" $selectors }}
-{{ include "common.classes.service" $params }}
diff --git a/library/ix-dev/charts/wg-easy/to_keep_versions.md b/library/ix-dev/charts/wg-easy/to_keep_versions.md
new file mode 100644
index 0000000000..11b0cc322b
--- /dev/null
+++ b/library/ix-dev/charts/wg-easy/to_keep_versions.md
@@ -0,0 +1,4 @@
+# 1.0.12
+
+This version is kept because it contains a fix that is needed for migration to v2.x.x
+It should be safe to remove few months after v2.x.x is released.
diff --git a/library/ix-dev/charts/wg-easy/to_keep_versions.yaml b/library/ix-dev/charts/wg-easy/to_keep_versions.yaml
new file mode 100644
index 0000000000..fdc614bcae
--- /dev/null
+++ b/library/ix-dev/charts/wg-easy/to_keep_versions.yaml
@@ -0,0 +1 @@
+- 1.0.12
diff --git a/library/ix-dev/charts/wg-easy/values.yaml b/library/ix-dev/charts/wg-easy/values.yaml
index 9fa0a8f646..824b74b989 100644
--- a/library/ix-dev/charts/wg-easy/values.yaml
+++ b/library/ix-dev/charts/wg-easy/values.yaml
@@ -2,3 +2,34 @@ image:
 pullPolicy: IfNotPresent
 repository: weejewel/wg-easy
 tag: "7"
+
+resources:
+ limits:
+ cpu: 4000m
+ memory: 8Gi
+
+podOptions:
+ dnsConfig:
+ options: []
+
+wgNetwork:
+ udpPort: 30057
+ webPort: 30058
+ hostNetwork: true
+
+wgConfig:
+ host: ''
+ password: ''
+ keepAlive: 0
+ clientMTU: 1420
+ clientAddressRange: 10.8.0.x
+ clientDNSServer: "1.1.1.1"
+ allowedIPs: []
+ additionalEnvs: []
+
+wgStorage:
+ config:
+ type: ixVolume
+ ixVolumeConfig:
+ datasetName: config
+ additionalStorages: []
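Review bot: `wgConfig.password: ''` ships an empty admin password, and the matching question (`private: true`, `default: ""`, with no `required` visible in its hunk) lets an install proceed with it; upstream wg-easy documents that an unset `PASSWORD` disables authentication on the web UI entirely (verify against the pinned `tag: "7"`), and with `hostNetwork: true` plus a NodePort that UI is reachable on every node address. An unauthenticated UI can create and revoke WireGuard peer configs, which is the whole security boundary of this app. Make the password question `required: true`, or at minimum state the consequence in its description: `description: Leave empty to disable authentication on the Web UI (not recommended).` A short comment above `clientDNSServer: "1.1.1.1"` noting that this resolver is pushed to every client would also make that default an informed choice rather than a surprise.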